I've been working with computer security since 1991. Nowadays I do quite a bit of public speaking on the topic. In fact, I have spoken eight times at either RSA Conference USA, RSA Conference Europe or RSA Conference Japan. You've even featured my picture on the walls of your conference walls among the 'industry experts'.

On December 20th, Reuters broke a story alleging that your company accepted a random number generator from the National Security Agency, and set it as the default option in one of your products, in exchange of $10 million. Your company has issued a statement on the topic, but you have not denied this particular claim. Eventually, NSA's random number generator was found to be flawed on purpose, in effect creating a back door. You had kept on using the generator for years despite widespread speculation that NSA had backdoored it.

As my reaction to this, I'm cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014.

Aptly enough, the talk I won't be delivering at RSA 2014 was titled "Governments as Malware Authors".

I don't really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway – why would they care about surveillance that's not targeted at them but at non-americans. Surveillance operations from the US intelligence agencies are targeted at foreigners. However I'm a foreigner. And I'm withdrawing my support from your event.

Sincerely,

Mikko HypponenChief Research OfficerF-Secure

—————

Updated to add on the 8th of January 2014:

I was scheduled to deliver a talk at and participate in an FTC panel at the RSA Conference USA 2014.

Initially I only canceled my talk, as I didn't want to punish the FTC which had nothing to do with the events I was protesting about. However, partial participation sends mixed messages. I don't want to send mixed messages, so I have canceled all my appearances at RSA 2014. I'm sure the FTC will understand.

I can also confirm that F-Secure is not speaking, sponsoring or exhibiting at RSA Conference USA 2014.

While I am glad to see that many other speakers have decided to cancel their appearances at RSA 2014 in protest, I don't want to portray myself as a leader of a boycott. I did what I felt I had to do. Others are making their own decisions.

I have declined every interview on the topic and will continue to do so. This open letter says everything I want to say on this.